E-Biometrics - Has your keyboard been faithful?

For decades, we have relied on a simple ‘two-pronged key’ to get into virtually any computer system on the planet: the familiar user ID and password combination.

First implemented in 1961 at the Massachusetts Institute of Technology (MIT), this was a leading-edge approach to security at the time, but that was over 50 years ago.

It has since been shown time and again that this basic authentication structure is an insufficient barrier to entry for most systems, from home banking to gaming to mission-critical infrastructure. Yet, by and large, we have not progressed past that old ‘two-pronged key’ for opening even the most important systems.

The weak connection between human users and their digital identities is often the vulnerability exploited in attacks on information systems. We rely on traditional authentication mechanisms (e.g. the Windows login and password) to secure our identities and to present an obstacle to those attacks. Other approaches have been tried, such as iris scanners or hardware one-time-password tokens, but they are costly and cumbersome.

Further, all of these mechanisms, weak or strong, verify identity only at the moment of sign-on and are dormant thereafter: nothing checks that the person at the keyboard an hour later is the one who logged in. That lack of continuous identity verification makes traditional authentication an incomplete solution and a serious access-control gap.

For example, failing to exercise adequate vigilance after the initial authentication (such as leaving the computer unlocked while going to the bathroom) gives an intruder the opportunity to cause great harm to companies and individuals.

To overcome this, security researchers have been working on intrusion detection systems that transparently and continuously monitor the user's interaction with the keyboard, looking for evidence of intrusion. To distinguish between two human users (one authorised, the other an ‘intruder’), such a system leverages a form of biometrics, namely the behavioural biometric modality known as keystroke dynamics.

What is keystroke dynamics? Quite simply, it is the science of analysing the way you type. It takes into account your particular rhythm, tempo, key combinations and, where the keyboard reports it, the pressure applied to the keys: in essence, it determines your own unique ‘digital fingerprint’.

Typing is a learned behaviour influenced by distinctive neuro-physiological factors, which means that every user develops unique finger motions for typing various combinations of keys. This process, known as muscle memory, is responsible for a user's reliable consistency in typing well-practised key sequences.

Keystroke dynamics does not register ‘what’ is being typed on the system, but rather ‘how’ it is being typed. It is a statistical analysis tool that learns the legitimate user's typing behaviour solely by recording their unique typing rhythms and timing measurements. One practical check worth making: the capture hook sits exactly where a keylogger would, so a deployment should be verified to retain only timings and key identifiers, never the typed content, and the stored profile should be protected like any other credential material.

These include parameters such as the user's dwell times (the time a key is held down) and ‘flight times’ (the time between releasing one key and pressing the next). Since no external hardware is required, keystroke dynamics is at the forefront of the new generation of software-only e-Biometrics that are now coming of age.

Like any biometric system, keystroke dynamics has an initial enrolment phase, in which the legitimate user is required to type on their computer for a while; a two-page text document would normally suffice. Once enough rhythms and patterns have been gathered to build a reliable biometric profile, the system is ready to start detecting unauthorised interaction with the legitimate user's system.
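As an added example (not code from the article or from Watchful Software), the following Python sketch implements the enrolment and continuous-verification loop described above. It assumes keystroke events arrive as (key, press_ms, release_ms) tuples, uses a scaled Manhattan distance over dwell and flight times as the classifier (a common baseline in the keystroke-dynamics literature, not necessarily what any vendor ships), calibrates the alert threshold on the legitimate user's own held-out typing, and synthesises all typing data from a toy typist model rather than recording real users.

```python
from collections import defaultdict
from statistics import mean, pstdev
import random

SD_FLOOR_MS = 5.0  # assumption: spread below 5 ms is timer noise, not behaviour


def extract_features(events):
    """Map each feature to the timings (ms) observed for it in one typing sample.
    events: list of (key, press_ms, release_ms). Dwell = release - press of a key;
    flight = next press - this release (negative when the typist rolls over keys)."""
    feats = defaultdict(list)
    for i, (key, press, release) in enumerate(events):
        feats[("dwell", key)].append(release - press)
        if i + 1 < len(events):
            next_key, next_press, _ = events[i + 1]
            feats[("flight", key, next_key)].append(next_press - release)
    return feats


def build_profile(events, min_samples=5):
    """Enrolment: store (mean, sd) for every feature seen at least min_samples times."""
    profile = {}
    for name, vals in extract_features(events).items():
        if len(vals) >= min_samples:
            profile[name] = (mean(vals), max(pstdev(vals), SD_FLOOR_MS))
    return profile


def score_window(profile, events):
    """Scaled Manhattan distance: mean of |x - mean| / sd over enrolled features.
    Returns None if the window shares no feature with the profile (no decision)."""
    total, n = 0.0, 0
    for name, vals in extract_features(events).items():
        if name in profile:
            mu, sd = profile[name]
            total += sum(abs(v - mu) / sd for v in vals)
            n += len(vals)
    return total / n if n else None


def windows(events, size):
    """Split a stream into consecutive fixed-size windows, dropping a short tail."""
    return [events[i:i + size] for i in range(0, len(events) - size + 1, size)]


def calibrate_threshold(profile, legit_events, window, margin=1.5):
    """Threshold = margin x the worst score the legitimate user produced on held-out
    windows. Raising margin cuts false rejections but lets more intruders through."""
    scores = [score_window(profile, w) for w in windows(legit_events, window)]
    return max(s for s in scores if s is not None) * margin


def monitor(profile, threshold, events, window):
    """Continuous verification: (window index, score, flagged) per window of typing."""
    scores = [score_window(profile, w) for w in windows(events, window)]
    return [(i, s, s is not None and s > threshold) for i, s in enumerate(scores)]


def simulate_typing(text, dwell_ms, flight_ms, jitter_ms, seed):
    """Constructed data, not real captures: events for `text` from a toy typist model.
    Each key gets its own tempo offset so digraph timings differ per key pair."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for ch in text:
        dwell = max(dwell_ms + (ord(ch) % 7) * 4 + rng.gauss(0, jitter_ms), 10.0)
        flight = flight_ms + (ord(ch) % 5) * 6 + rng.gauss(0, jitter_ms)
        events.append((ch, t, t + dwell))
        t += dwell + flight
    return events


def demo():
    """Enrol a typist, calibrate, then watch a legitimate session and an intruder."""
    sentence = "the quick brown fox jumps over the lazy dog "
    window = 2 * len(sentence)
    legit = dict(dwell_ms=85, flight_ms=120, jitter_ms=15)
    intruder = dict(dwell_ms=130, flight_ms=190, jitter_ms=15)  # slower, heavier typist
    profile = build_profile(simulate_typing(sentence * 30, seed=1, **legit))
    threshold = calibrate_threshold(
        profile, simulate_typing(sentence * 10, seed=2, **legit), window)
    legit_alerts = monitor(profile, threshold,
                           simulate_typing(sentence * 6, seed=3, **legit), window)
    intruder_alerts = monitor(profile, threshold,
                              simulate_typing(sentence * 6, seed=4, **intruder), window)
    return threshold, legit_alerts, intruder_alerts


if __name__ == "__main__":
    threshold, legit_alerts, intruder_alerts = demo()
    print(f"threshold = {threshold:.2f}")
    for label, alerts in (("legit", legit_alerts), ("intruder", intruder_alerts)):
        for i, score, flagged in alerts:
            print(f"{label} window {i}: score {score:.2f} flagged={flagged}")
```

Two design points matter in practice. Features are only compared where the profile has enough samples, so a window of unfamiliar text yields a weaker verdict (or none at all) rather than a confident wrong one; and the threshold is derived from the user's own variability, which is what turns a vendor's single accuracy figure into a concrete false-reject versus false-accept trade-off that can be tuned per deployment.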

Leading commercial keystroke dynamics systems claim to detect intruders with over 99 per cent accuracy. When evaluating such figures, ask for the false-acceptance and false-rejection rates at the operating threshold, since a single accuracy number hides the trade-off between the two. The best part is that the user does not even notice the system: a well-designed keystroke dynamics solution runs in the background, feeding off the typing rhythms legitimate users produce in their daily routine, and never asks for dedicated text input.

From a commercial perspective, it is also one of the least expensive methods of strong security: no extra biometric hardware is required, as the user's computer and keyboard are all that is necessary.

Keystroke dynamics is a silent revolution in personal security, offering continuous identity verification with no real concessions from the user. It moves the authentication question up a level, from ‘what does this user know?’ (i.e. user ID and password) to ‘who is actually attempting to access the system?’

In addition, it evolves the authentication process from a single moment-in-time verification to one that is constantly vigilant the entire time the user is on the system.

João Silva Ferreira is principal engineer for the field of biometrics at Watchful Software

Watchful Software is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl's Court, London. The event provides an unrivalled free education program, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk/.
